Most iptables setups contain an INPUT -i lo -j ACCEPT
rule. Without it, it's quite difficult to connect to any locally hosted stuff. However, what is not entirely clear to me is: is a locally running process absolutely the only way to get caught by this line? I mean, can it be exploited by something like delivery of a crafted packet with src IP 127.0.0.1, dst 127.0.0.1 when IP forwarding is enabled on some interfaces?
Answer 1
I think if you used two more lines, as shown below, then the events you described would be blocked:
-A INPUT -4 ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -6 ! -i lo -d ::1/128 -j REJECT
-A INPUT -i lo -j ACCEPT
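To make the effect of the answer's rule order concrete, here is an added example (not from the original question or answer) that models first-match evaluation of those three INPUT rules in Python and runs a handful of constructed packets through it: a genuine loopback packet, a 127.0.0.0/8 and a ::1 packet arriving on a non-loopback interface, and ordinary traffic that falls through to the chain policy. The packet list, the interface name eth0 and the default policy are assumptions for illustration; the rules themselves are the three lines from the answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: family selector (-4/-6, None = both), -i match,
    whether the -i match is negated ("! -i lo"), optional -d match, target."""
    family: Optional[int]
    in_iface: str
    negate_iface: bool
    dst: Optional[Network]
    target: str


# The three rules from the answer, in the order they appear in the chain.
RULES = [
    # -A INPUT -4 ! -i lo -d 127.0.0.0/8 -j REJECT
    Rule(4, "lo", True, ipaddress.ip_network("127.0.0.0/8"), "REJECT"),
    # -A INPUT -6 ! -i lo -d ::1/128 -j REJECT
    Rule(6, "lo", True, ipaddress.ip_network("::1/128"), "REJECT"),
    # -A INPUT -i lo -j ACCEPT
    Rule(None, "lo", False, None, "ACCEPT"),
]


def matches(rule: Rule, iface: str, dst: ipaddress._BaseAddress) -> bool:
    """Return True if the packet (input interface, destination) hits this rule."""
    if rule.family is not None and rule.family != dst.version:
        return False
    iface_ok = (iface != rule.in_iface) if rule.negate_iface else (iface == rule.in_iface)
    if not iface_ok:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return True


def verdict(iface: str, dst: str, policy: str = "DROP") -> str:
    """First-match walk of the INPUT chain; unmatched packets get the chain policy
    (assumed DROP here). Only INPUT is modelled: packets the kernel forwards
    traverse FORWARD instead, so they never reach these rules."""
    addr = ipaddress.ip_address(dst)
    for rule in RULES:
        if matches(rule, iface, addr):
            return rule.target
    return policy


# Constructed sample packets: (input interface, destination address).
SAMPLE_PACKETS = [
    ("lo", "127.0.0.1"),      # real loopback traffic
    ("lo", "::1"),            # real IPv6 loopback traffic
    ("eth0", "127.0.0.1"),    # spoofed loopback destination on a wire interface
    ("eth0", "127.42.0.7"),   # anywhere in 127.0.0.0/8 is covered, not just .1
    ("eth0", "::1"),          # spoofed IPv6 loopback destination
    ("eth0", "192.0.2.10"),   # ordinary traffic, falls through to the policy
]

if __name__ == "__main__":
    for iface, dst in SAMPLE_PACKETS:
        print(f"{iface:5} -> {dst:12} : {verdict(iface, dst)}")
```

The point the walk makes visible is that the REJECT rules must sit before the `-i lo -j ACCEPT` line; because they match on `! -i lo`, they never touch genuine loopback traffic, and a packet claiming a 127.0.0.0/8 or ::1 destination is only rejected when it arrives on some other interface. Note also that the kernel treats such packets as martians on non-loopback interfaces unless net.ipv4.conf.*.route_localnet is enabled, so these rules are a defence-in-depth layer rather than the only thing standing in the way.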